Clear two types of tokens on Accounts.setPassword

Author: glasser

History.md

@@ -24,7 +24,8 @@
 * `Blaze.remove` on a template's view now correctly removes the DOM
   when the template was inserted using `Blaze.renderWithData`. #3130
 
-* Expire a user's password reset tokens when their password is changed.
+* Expire a user's password reset and login tokens in all circumstances when
+  their password is changed.
 
 * Require plain objects as the update parameter when doing replacements
   in server-side collections.

packages/accounts-password/password_server.js

@@ -331,7 +331,12 @@ Accounts.setPassword = function (userId, newPlaintextPassword) {
 
   Meteor.users.update(
     {_id: user._id},
-    { $unset: {'services.password.srp': 1}, // XXX COMPAT WITH 0.8.1.3
+    {
+      $unset: {
+        'services.password.srp': 1, // XXX COMPAT WITH 0.8.1.3
+        'services.password.reset': 1,
+        'services.resume.loginTokens': 1
+      },
       $set: {'services.password.bcrypt': hashPassword(newPlaintextPassword)} }
   );
 };

packages/accounts-password/password_tests.js

@@ -873,8 +873,9 @@ if (Meteor.isServer) (function () {
     'passwords - setPassword',
     function (test) {
       var username = Random.id();
+      var email = username + '-intercept@example.com';
 
-      var userId = Accounts.createUser({username: username});
+      var userId = Accounts.createUser({username: username, email: email});
 
       var user = Meteor.users.findOne(userId);
       // no services yet.
@@ -886,12 +887,22 @@ if (Meteor.isServer) (function () {
       var oldSaltedHash = user.services.password.bcrypt;
       test.isTrue(oldSaltedHash);
 
+      // Send a reset password email (setting a reset token) and insert a login
+      // token.
+      Accounts.sendResetPasswordEmail(userId, email);
+      Accounts._insertLoginToken(userId, Accounts._generateStampedLoginToken());
+      test.isTrue(Meteor.users.findOne(userId).services.password.reset);
+      test.isTrue(Meteor.users.findOne(userId).services.resume.loginTokens);
+
       // reset with the same password, see we get a different salted hash
       Accounts.setPassword(userId, 'new password');
       user = Meteor.users.findOne(userId);
       var newSaltedHash = user.services.password.bcrypt;
       test.isTrue(newSaltedHash);
       test.notEqual(oldSaltedHash, newSaltedHash);
+      // No more tokens.
+      test.isFalse(Meteor.users.findOne(userId).services.password.reset);
+      test.isFalse(Meteor.users.findOne(userId).services.resume.loginTokens);
 
       // cleanup
       Meteor.users.remove(userId);